Preventing data loss is one of the biggest challenges facing any CIO today. The problem is that data protection is impossible. From the moment data is generated it is at risk of being misused, falling into the wrong hands, being sold to industrial spies, or simply falling off the back of a truckliterally. Protecting all data, from inception to final back-up and storage is not just difficult, its not feasible.
The first issue facing the organization is determining which data to protect. Everything is not an acceptable segmentation. Most organizations start with personally identifiable information (PII) which includes names, addresses, birthdates, social security number, employment records, and health records of customers, employees, or the general populace. It is the loss of these records that has given rise to the current spate of public disclosures of data loss. A
Check out this site (http://www.privacyrights.org/ar/ChronDataBreaches.htm) for a continuously updated list of major data losses by
Just protecting something as simple to find and segregate as PII is a daunting task. Best practice is to encrypt just the columns in a data base that contain SSNs, credit cards, and other PII. That avoids the mass theft of data as in the infamous TJX loss of 90 million credit card records. But what about when someone accesses the database? Can they write a script to systematically mine the database to pull that info? Can they subscribe to that database as some Nigerian entrepreneurs did to Choice Point, the credit agency?
What if the data is more than PII? Plans for a new missile for instance? Or internal financial discussions about an upcoming acquisition? Chemical formulae? Trade secrets? Quarterly results? The crop report? Salaries of executives?
I mention the last because when Lee Iacocca was negotiating major concessions from the UAW, a union janitor in the data center happened upon a greenbar print out of all of the top executives salaries. It put Iacocca in a very uncomfortable position when those high figures where made known.
Once you have identified the information you want to protect how do you prevent it from leaking? There are vendors who provide products that search your internal network, find certain types of critical data, tag it, and then block it from leaving via the network. That plus a huge hole. Just make sure you have deployed gateway filters over email, IM, file transfer, Web forms, and VoIP.
What about small storage devices like USB thumb drives, hard drives, PDAs, even cell phones and iPods? There is the case of the Indian IT worker at the secret intelligence agency who delivered stolen data to a